Description of core php.ini directives

This list includes the core php.ini directives you can set to
configure your PHP setup. Directives handled by extensions are listed
and detailed at the extension documentation pages respectively;
Information on the session directives for example can be found at the
sessions page.

Note:

The defaults listed here are used when php.ini is not loaded; the values for the production and development php.ini may vary.

Tells PHP whether the short form (<? ?>)
of PHP's open tag should be allowed. If you want to use PHP in
combination with XML, you can disable this option in order to
use <?xml ?> inline. Otherwise, you
can print it with PHP, for example: <?php echo '<?xml
version="1.0"?>'; ?>. Also, if disabled, you must use the
long form of the PHP open tag (<?php ?>).

Note:

This directive also affected the shorthand
<?= before PHP 5.4.0,
which is identical to <? echo. Use of this
shortcut required short_open_tag
to be on.
Since PHP 5.4.0, <?= is always available.

Whether to warn when arguments are passed by reference at function call time.
The encouraged method of specifying which arguments should be passed by
reference is in the function declaration. You're encouraged to try and turn
this option Off and make sure your scripts work properly with it in order to
ensure they will work with future versions of the language (you will receive
a warning each time you use this feature).

Passing arguments by reference at function call time was deprecated for
code-cleanliness reasons. A function can modify its arguments in an
undocumented way if it didn't declare that the argument shall be passed by
reference. To prevent side-effects it's better to specify which
arguments are passed by reference in the function declaration only.

Exposes to the world that PHP is installed on the server, which includes the
PHP version within the HTTP header (e.g., X-Powered-By: PHP/5.3.7).
Prior to PHP 5.5.0 the PHP logo guids are also exposed, thus appending them
to the URL of your PHP script would display the appropriate logo
(e.g., » https://www.php.net/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42).
This also affected the output of phpinfo(), as when disabled, the PHP logo
and credits information would not be displayed.

Note:

Since PHP 5.5.0 these guids and the php_logo_guid() function
have been removed from PHP and the guids are replaced with data URIs instead.
Thus accessing the PHP logo via appending the guid to the URL no longer works.
Similarly, turning expose_php off will not affect
seeing the PHP logo in phpinfo().

When set to 1, assertion code will be generated and
executed (development mode). When set to 0,
assertion code will be generated but it will be skipped (not executed)
at runtime. When set to -1, assertion code will not
be generated, making the assertions zero-cost (production mode).

Note:

If a process is started in production mode, zend.assertions
cannot be changed at runtime, since the code for assertions was not generated.

If a process is started in development mode, zend.assertions
cannot be set to -1 at runtime.

Enable compatibility mode with Zend Engine 1 (PHP 4). It affects
the cloning, casting (objects with no properties cast to FALSE or 0), and comparing of objects.
In this mode, objects are passed by value instead of reference by
default.

Enables parsing of source files in multibyte encodings. Enabling zend.multibyte
is required to use character encodings like SJIS, BIG5, etc that contain special
characters in multibyte string data. ISO-8859-1 compatible encodings like UTF-8,
EUC, etc do not require this option.

Enabling zend.multibyte requires the mbstring extension to be available.

This value will be used unless a
declare(encoding=...)
directive appears at the top of the script. When ISO-8859-1 incompatible encoding
is used, both zend.multibyte and zend.script_encoding must be used.

Literal strings will be transliterated from zend.script_enconding to
mbstring.internal_encoding, as if
mb_convert_encoding() would have been called.

This is an Apache1 mod_php-only directive that forces an Apache child to exit if a PHP execution timeout occurred.
Such a timeout causes an internal longjmp() call in Apache1 which can leave some extensions in an inconsistent
state. By terminating the process any outstanding locks or memory will be cleaned up.

Resource Limits

This sets the maximum amount of memory in bytes that a script
is allowed to allocate. This helps prevent poorly written
scripts for eating up all available memory on a server. Note that
to have no memory limit, set this directive to -1.

Prior to PHP 5.2.1, in order to use this directive it had to
be enabled at compile time by using
--enable-memory-limit in the
configure line. This compile-time flag was also required to define
the functions memory_get_usage() and
memory_get_peak_usage() prior to 5.2.1.

When an integer is used, the
value is measured in bytes. Shorthand notation, as described
in this FAQ, may also be used.

Determines the size of the realpath cache to be used by PHP. This
value should be increased on systems where PHP opens many files, to
reflect the quantity of the file operations performed.

The size represents the total number of bytes in the path strings
stored, plus the size of the data associated with the cache entry. This
means that in order to store longer paths in the cache, the cache size
must be larger. This value does not directly control the number of
distinct paths that can be cached.

Sets the order of the EGPCS (Environment,
Get, Post,
Cookie, and Server) variable
parsing. For example, if variables_order
is set to "SP" then PHP will create the
superglobals$_SERVER and
$_POST, but not create
$_ENV, $_GET, and
$_COOKIE. Setting to "" means no
superglobals will be set.

If the deprecated
register_globals
directive is on, then variables_order also
configures the order the ENV,
GET, POST,
COOKIE and SERVER variables
are populated in global scope. So for example if variables_order
is set to "EGPCS", register_globals is enabled,
and both $_GET['action'] and
$_POST['action'] are set, then
$action will contain the value of
$_POST['action'] as P comes
after G in our example directive value.

Warning

In both the CGI and FastCGI SAPIs,
$_SERVER is
also populated by values from the environment; S
is always equivalent to ES regardless of the
placement of E elsewhere in this directive.

Note:

The content and order of
$_REQUEST is also
affected by this directive.

When enabled, the SERVER, REQUEST, and ENV variables are created when they're
first used (Just In Time) instead of when the script starts. If these
variables are not used within a script, having this directive on will
result in a performance gain.

Please note that register_globals
cannot be set at runtime (ini_set()). Although, you can
use .htaccess if your host allows it as described
above. An example .htaccess entry:
php_flag register_globals off.

Tells PHP whether or not to register the deprecated long
$HTTP_*_VARS type
predefined
variables. When On (default), long predefined PHP
variables like $HTTP_GET_VARS will be defined.
If you're not using them, it's recommended to turn them off,
for performance reasons. Instead, use the superglobal arrays,
like $_GET.
This directive became available in PHP 5.0.0.

Warning

This feature has been
DEPRECATED as of PHP 5.3.0 and REMOVED
as of PHP 5.4.0.

Disabling this option causes $_POST and
$_FILESnot to be populated.
The only way to read postdata will then be through the
php://input stream wrapper.
This can be useful to proxy requests or to process
the POST data in a memory efficient fashion.

Sets max size of post data allowed. This setting also affects
file upload. To upload large files, this value must be larger
than upload_max_filesize.
Generally speaking,
memory_limit should be
larger than post_max_size.
When an integer is used, the
value is measured in bytes. Shorthand notation, as described
in this FAQ, may also be used.
If the size of post data is greater than post_max_size, the
$_POST and $_FILESsuperglobals
are empty. This can be tracked in various ways, e.g. by passing the
$_GET variable to the script processing the data,
i.e. <form action="edit.php?processed=1">,
and then checking if $_GET['processed'] is set.

Note:

PHP allows shortcuts for byte values, including K (kilo), M (mega)
and G (giga). PHP will do the conversions automatically if you
use any of these. Be careful not to exceed the 32 bit signed integer
limit (if you're using 32bit versions) as it will cause your script
to fail.

Changelog for post_max_size

Version

Description

5.3.4

post_max_size = 0 will not disable the limit when the content
type is application/x-www-form-urlencoded or is not registered with PHP.

This feature was
DEPRECATED in PHP 5.6.0, and
REMOVED as of PHP 7.0.0.

If set to TRUE, PHP will always populate the
$HTTP_RAW_POST_DATA containing the raw POST data.
Otherwise, the variable is populated only when the MIME type of the
data is unrecognised.

The preferred method for accessing raw POST data is
php://input, and
$HTTP_RAW_POST_DATA is deprecated in PHP 5.6.0
onwards. Setting always_populate_raw_post_data
to -1 will opt into the new behaviour that will be
implemented in a future version of PHP, in which
$HTTP_RAW_POST_DATA is never defined.

Regardless of the setting, $HTTP_RAW_POST_DATA is
not available with enctype="multipart/form-data".

PHP considers each entry in the include path separately when looking for
files to include. It will check the first path, and if it doesn't find
it, check the next path, until it either locates the included file or
returns with an
E_WARNING
or an E_ERROR.
You may modify or set your include path at runtime using
set_include_path().

Example #1 Unix include_path

include_path=".:/php/includes"

Example #2 Windows include_path

include_path=".;c:\php\includes"

Using a . in the include path allows for
relative includes as it means the current directory. However,
it is more efficient to explicitly use include
'./file' than having PHP always check the current
directory for every include.

Note:

ENV variables are also accessible in .ini files.
As such it is possible to reference the home directory using
${LOGIN} and ${USER}.

Environment variables may vary between Server APIs as those environments
may be different.

Limit the files that can be accessed by PHP to the specified
directory-tree, including the file itself. This directive
is NOT affected by whether Safe Mode is
turned On or Off.

When a script tries to access the filesystem, for example using
include, or fopen(), the location of the file
is checked.
When the file is outside the specified directory-tree, PHP will refuse to access it.
All symbolic links are resolved, so it's not possible to avoid this restriction
with a symlink. If the file doesn't exist then the symlink couldn't be
resolved and the filename is compared to (a resolved) open_basedir.

open_basedir can affect more than just filesystem functions; for example
if MySQL is configured to use mysqlnd drivers,
LOAD DATA INFILE will be affected by open_basedir.
Much of the extended functionality of PHP uses open_basedir in this way.

The special value .
indicates that the working directory of the script will be used as the
base-directory. This is, however, a little dangerous as the working directory
of the script can easily be changed with chdir().

In httpd.conf, open_basedir can be turned off
(e.g. for some virtual hosts)
the same way as
any other configuration directive with "php_admin_value open_basedir
none".

Under Windows, separate the directories with a semicolon. On all
other systems, separate the directories with a colon. As an Apache
module, open_basedir paths from parent directories are now
automatically inherited.

The restriction specified with open_basedir is a
directory name since PHP 5.2.16 and 5.3.4. Previous versions used it
as a prefix. This means that "open_basedir
= /dir/incl" also allowed access to "/dir/include" and
"/dir/incls" if they exist. When you want to restrict access
to only the specified directory, end with a slash. For example:
open_basedir = /dir/incl/

The default is to allow all files to be opened.

Note:

As of PHP 5.3.0 open_basedir can be tightened at run-time. This means
that if open_basedir is set to /www/ in php.ini
a script can tighten the configuration to
/www/tmp/ at run-time with
ini_set(). When listing several directories, you
can use the PATH_SEPARATOR constant as a separator
regardless of the operating system.

PHP's "root directory" on the server. Only used if
non-empty. If PHP is configured with safe mode, no files outside
this directory are served.
If PHP was not compiled with FORCE_REDIRECT, you should
set doc_root if you are running PHP as a CGI under any web
server (other than IIS). The alternative is to use the
cgi.force_redirect configuration below.

Controls whether CGI PHP checks for line starting
with #! (shebang) at the top of the running script.
This line might be needed if the script support running both as
stand-alone script and via PHP CGI. PHP in
CGI mode skips this line and ignores its content if
this directive is turned on.

Provides realPATH_INFO/
PATH_TRANSLATED support for CGI.
PHP's previous behaviour was to set PATH_TRANSLATED
to SCRIPT_FILENAME, and to not grok what
PATH_INFO is. For more information on
PATH_INFO, see the CGI specs.
Setting this to 1 will cause PHP
CGI to fix its paths to conform to the spec. A
setting of zero causes PHP to behave as before. It is turned on by
default. You should fix your scripts to use
SCRIPT_FILENAME rather than
PATH_TRANSLATED.

If cgi.force_redirect is turned on, and you are not running under
Apache or Netscape (iPlanet) web servers, you may
need to set an environment variable name that PHP will look for to
know it is OK to continue execution.

Note:

Setting this variable may cause security issues,
know what you are doing first.

Tells PHP what type of headers to use when sending HTTP response
code. If it's set to 0, PHP sends a » RFC 3875
"Status:" header that is supported by Apache and other web servers. When this option
is set to 1, PHP will send » RFC 2616 compliant
headers.

If this option is enabled, and you are running PHP in a CGI environment (e.g. PHP-FPM)
you should not use standard RFC 2616 style HTTP status response headers, you should
instead use their RFC 3875 equivalent e.g. instead of header("HTTP/1.0 404 Not found");
you should use header("Status: 404 Not Found");

FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
security tokens of the calling client. This allows IIS to define the
security context that the request runs under. mod_fastcgi under Apache
does not currently support this feature (03/17/2002)
Set to 1 if running under IIS. Default is zero.

The temporary directory used for storing files when doing
file upload. Must be writable by whatever user PHP
is running as. If not specified PHP will use the system's default.

If the directory specified here is not writable, PHP falls back to
the system default temporary directory. If
open_basedir is on, then
the system default directory must be allowed for an upload to
succeed.

General SQL

If turned on, database connection functions that specify default values
will use those values in place of any user-supplied arguments. For details
on the default values, see the documentation for the relevant connection
functions.